GryphonCTF_2016: IWanTix2

Category: Web
Points: 30
Description:

Get into the organiser's network and generate tickets so you can sell it at a very low price to our dear admin QR!
Play at http://play.spgame.site:8002
Creator - Kelvin Neo (@deathline75)
Creator - Chen Qiurong (@pc84560895)

Write-up

This time around, we are given a URL that leads to a very snarky reply by the web server.

Didn't your parents tell you not to look at unauthorised pages?
Unless you are an administrator, then please login locally.

Opening up Developer's Console in Chrome reveals a delicious header.

Credentials:Look out for port 8001,user:webadmin,pass:webadmin

Connecting to port 8001 via browser, you get nothing! Or a weird OpenSSH version header anyways. So, we try to connect to it via shell.

$ ssh webadmin@play.spgame.site -p 8001
webadmin@play.spgame.site's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 12 14:55:07 2016 from 103.26.223.115
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
webadmin:~$

Voilà! Well, now we are in a limited shell. What do we do now? Hmm...

webadmin:~$ ?
clear exit help history lpath lsudo
webadmin:~$

Upon further research, it appears we are in lshell, short for limited shell. Doing some research on CVEs, we find an exploit for lshell.

Epic motherlode right there.
Therefore, the flag is GCTF{7unn3l_4nd_1nj3c7}.

EDIT: This was actually a bug and team JEAM was awarded 3 points for the discovery and report of this bug. What misers the organizers are.
EDIT2: This was supposed to be solved via ssh webadmin@play.spgame.site -p 8001 -L 1337:localhost:8002, accessing localhost:1337 and injecting SQLi code. Well, I think my method was a bit more epic.
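
The intended route in EDIT2 works because a restricted login shell such as lshell only limits commands, while sshd handles -L forwarding requests itself. As an added example (not part of the original write-up or the challenge), this Python sketch reads an sshd_config and reports whether a user can still open local forwards; both config samples are constructed, and the reader is a simplification that only evaluates Match User and Match all.

```python
from fnmatch import fnmatchcase

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any"}  # OpenSSH defaults

# Constructed samples: the account has a restricted login shell in both cases.
WEAK = "PasswordAuthentication yes\nX11Forwarding no\n"
HARDENED = WEAK + "Match User webadmin\n    AllowTcpForwarding no\n    PermitOpen none\n"

def effective(config_text, user, keyword):
    """Value sshd would apply to `user` for `keyword` (simplified reader).

    Only 'Match User' and 'Match all' are evaluated; blocks with other
    criteria (Group, Address, ...) and negated patterns count as no match.
    """
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            in_match = True
            applies = [c.lower() for c in crit] == ["all"] or (
                len(crit) == 2 and crit[0].lower() == "user"
                and any(fnmatchcase(user, p) for p in crit[1].split(",")))
            continue
        if key != keyword:
            continue
        if not in_match:
            global_val = global_val or value.lower()   # first global value wins
        elif applies:
            match_val = match_val or value.lower()     # first matching block wins
    return match_val or global_val or DEFAULTS[keyword]

def can_local_forward(config_text, user):
    """True if `ssh -L` requests from `user` would be accepted."""
    fwd = effective(config_text, user, "AllowTcpForwarding")
    opens = effective(config_text, user, "PermitOpen")
    return fwd in ("yes", "all", "local") and opens != "none"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "webadmin can forward:", can_local_forward(cfg, "webadmin"))
```

With no forwarding directive at all, the OpenSSH default applies and the restricted account can tunnel to services bound to localhost; the Match block closes that for webadmin only.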